The General Data Protection Regulation (GPDR) was widely hailed for bringing in tougher new sanctions that regulators hoped would give them more powers of enforcement.
For most businesses 4% of annual global turnover is indeed a significant amount. However in a world of Googles and Facebooks, many have questioned whether even these larger fines could be absorbed as a “cost of doing business” with little or no deterrent effect. Nonetheless with data protection authorities across Europe flexing their muscles, the increase in potential fines seemed, for now, sufficient.
But this week (8 November) the British watchdog, the Information Commissioner’s Office (ICO) said that it wanted further powers to seize assets – including data – under the Proceeds of Crime Act 2002 (POCA).
It’s a bold move, but the ICO argues: “Personal data has a monetary value and is increasingly being recognised and treated as a commodity which is stolen and traded for financial gain. It is an asset exploited by criminal gangs, which can lead to significant financial losses and illegal monetary gains.”
The proposed new rules would only apply in the case of criminal offenses, which are recordable under the current data protection law. But the only sanction available to the courts is a fine. Similar to the “cost of doing business” scenario noted above, criminals could shrug this off as the fine is likely to be much less than the financial gains made by the offender. “This will inevitably lead to a greater disparity between the deterrent and punitive effects of sanctions imposed in relation to civil breaches and criminal offences,” said the ICO.
The ICO says that proceeds of crime confiscation orders would enable the authority to determine the value of a criminal’s proceeds from crime. In the UK, POCA seizures from convicted individuals are permitted up to the equivalent value to their benefit from crime.
The agency is seeking relevant authorisation powers for “cash seizure, detention and forfeiture from premises; asset seizure and forfeiture from premises; and access to information relevant to the investigation of money laundering offences.”
“The powers sought will enable the ICO to undertake confiscation investigations and apply to the court for restraint of any asset or realisable property when there is evidence to show that a defendant in criminal proceedings has benefited from their conduct,” according to the ICO.
“Access to information relevant to the investigation of money laundering offences is being sought to enable the ICO to respond to the changing nature of criminal activity involving the misuse of personal data, and to engage with other law enforcement agencies more effectively in cases which may involve offences of money laundering,” continued the statement.
“This is deeply encouraging news,” said Paul May, Director and Co-founder of Webxray. “My own experience in anti-money laundering investigation gave me an insight into the impact POCA confiscation and seizure orders have in expediting investigations and asset-recovery. The absence of such powers tie the hands of European data protection regulators. Financial regulators in the UK already arguably require extended power to seize assets, so it is only logical that the Information Commissioner’s office requires at the very least equivalent enforcement capabilities, even extending to civil recovery, SCPO (serious crime prevention orders) and unexplained wealth orders.”
“It has long been known that personal data is regarded as an asset and is treated as a financial asset by the industry – bid on and traded on at an exchange as a commodity. It is therefore only appropriate that the head of industry oversight in this area be granted equivalent powers to investigate and prosecute malicious actors,” May continued.
To have access to the POCA powers, AFIs must currently be a member of staff of a public body, designation by order by the Secretary of State, and trained and accredited by the National Crime Agency.
The ICO previously worked in partnership with other agencies which conducted financial investigations, but is now seeking an Accredited Financial Investigator (AFI) within its own organisation.
According to May, the statement from the Commissioner’s office that partner agencies “are no longer able to provide assistance,” only highlights that this is a matter of urgency.
“Without POCA powers from partner agencies the ICO could be constrained, and an encumbered ICO is in no-one’s interests,” he said. “The ICO requesting these powers also emboldens the small number of us in data protection who focus on investigating the assets and ownership of the companies who abuse personal data as a commodity, and those who appropriate it without transparency or consent.”
Asked by CPO magazine why partner agencies were no longer an option, the ICO refused to comment further.